From 549fa35bd35c5e6356099ad3ac6f4392aa0acd23 Mon Sep 17 00:00:00 2001
From: root
Date: Fri, 20 Nov 2009 14:26:26 -0500
Subject: Splitting from dev_urandom
---
 firewall | 179 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 179 insertions(+)
 create mode 100644 firewall
(limited to 'firewall')
diff --git a/firewall b/firewall
new file mode 100644
index 0000000..d19f0ce
--- /dev/null
+++ b/firewall
@@ -0,0 +1,179 @@
+# Make sure we have all the commands to continue
+if [[ ! `which iptables` || ! `which ifconfig` || ! `which grep` || ! `which sed` ]]; then
+ echo 'Essential commands are missing. Can not continue.'
+ exit 1
+fi
+
+# Check for root
+if [[ $UID != 0 ]]; then
+ echo 'You are not root.'
+ exit 1
+fi
+
+# First set LC_ALL to en to avoid l10n problems when awk-ing IPs etc.
+export LC_ALL="en"
+
+# Source our configuration file
+source /etc/firewall.conf
+
+# Go into lockdown mode while we setup the rules
+iptables -P INPUT DROP
+iptables -P OUTPUT DROP
+iptables -P FORWARD DROP
+
+# Flush all existing chains and erase personal chains
+CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null`
+for i in $CHAINS; do
+ iptables -t $i -F
+ iptables -t $i -X
+done
+echo 1 > /proc/sys/net/ipv4/tcp_syncookies
+echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+
+# Source Address Verification
+for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
+ echo 1 > $f
+done
+
+# Disable IP source routing and ICMP redirects
+for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
+ echo 0 > $f
+done
+for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
+ echo 0 > $f
+done
+echo 1 > /proc/sys/net/ipv4/ip_forward
+
+# Determine the IP/Broadcast/Netmask for the outside interface
+# dynamically by grepping ifconfig commands
+#
+# Due to absence of EXTBC in ifconfig output I manually set it
+# to 255.255.255.255 this hopefully will serve the same purpose
+EXTIP="`ifconfig $EXTIF|grep addr:|sed 's/.*addr:\([^ ]*\) .*/\1/'`"
+EXTBC="255.255.255.255"
+EXTMSK="`ifconfig $EXTIF|grep Mask:|sed 's/.*Mask:\([^ ]*\)/\1/'`"
+EXTNET="$EXTIP/$EXTMSK"
+echo "EXTIP=$EXTIP EXTBC=$EXTBC EXTMSK=$EXTMSK EXTNET=$EXTNET"
+
+# Determine the IP/Broadcast/Netmask for the outside interface
+# dynamically by grepping ifconfig commands
+INTIP="`ifconfig $INTIF|grep addr:|sed 's/.*addr:\([^ ]*\) .*/\1/'`"
+INTBC="`ifconfig $INTIF|grep Bcast:|sed 's/.*Bcast:\([^ ]*\) .*/\1/'`"
+INTMSK="`ifconfig $INTIF|grep Mask:|sed 's/.*Mask:\([^ ]*\)/\1/'`"
+INTNET="$INTIP/$INTMSK"
+echo "INTIP=$INTIP INTBC=$INTBC INTMSK=$INTMSK INTNET=$INTNET"
+
+# We are now going to create a few custom chains that will result in
+# logging of dropped packets. This will enable us to avoid having to
+# enter a log command prior to every drop we wish to log. The
+# first will be first log drops the other will log rejects.
+# Do not complain if chain already exists (so restart is clean)
+iptables -N DROPl 2> /dev/null
+iptables -A DROPl -j LOG --log-prefix 'DROPl:'
+iptables -A DROPl -j DROP
+iptables -N REJECTl 2> /dev/null
+iptables -A REJECTl -j LOG --log-prefix 'REJECTl:'
+iptables -A REJECTl -j REJECT
+
+# Now we are going to accpet all traffic from our loopback device
+# if the IP matches any of our interfaces.
+iptables -A INPUT -i $LPDIF -s $LPDIP -j ACCEPT
+iptables -A INPUT -i $LPDIF -s $EXTIP -j ACCEPT
+iptables -A INPUT -i $LPDIF -s $INTIP -j ACCEPT
+
+# Blocking Broadcasts
+iptables -A INPUT -i $EXTIF -d $EXTBC -j DROPl
+iptables -A INPUT -i $INTIF -d $INTBC -j DROPl
+iptables -A OUTPUT -o $EXTIF -d $EXTBC -j DROPl
+iptables -A OUTPUT -o $INTIF -d $INTBC -j DROPl
+iptables -A FORWARD -o $EXTIF -d $EXTBC -j DROPl
+iptables -A FORWARD -o $INTIF -d $INTBC -j DROPl
+
+# Block WAN access to internal network
+#
+# This also stops nefarious crackers from using our network as a
+# launching point to attack other people
+iptables -A INPUT -i $EXTIF -d ! $EXTIP -j DROPl
+
+# Now we will block internal addresses originating from anything but our
+# two predefined interfaces... just remember that if you jack your
+# your laptop or another pc into one of these NIC's directly, you'll need
+# to ensure that they either have the same ip or that you add a line explicitly
+# for that IP as well
+iptables -A INPUT -i $INTIF -s ! $INTNET -j DROPl
+iptables -A OUTPUT -o $INTIF -d ! $INTNET -j DROPl
+iptables -A FORWARD -i $INTIF -s ! $INTNET -j DROPl
+iptables -A FORWARD -o $INTIF -d ! $INTNET -j DROPl
+
+# An additional Egress check
+iptables -A OUTPUT -o $EXTIF -s ! $EXTNET -j DROPl
+
+# Block outbound ICMP (except for PING)
+iptables -A OUTPUT -o $EXTIF -p icmp --icmp-type ! 8 -j DROPl
+iptables -A FORWARD -o $EXTIF -p icmp --icmp-type ! 8 -j DROPl
+
+# Explicitly block TCP ports
+for i in $TCPBLOCK; do
+ iptables -A INPUT -p tcp --dport $i -j DROPl
+ iptables -A OUTPUT -p tcp --dport $i -j DROPl
+ iptables -A FORWARD -p tcp --dport $i -j DROPl
+done
+
+# Explicitly block UDP ports
+for i in $UDPBLOCK; do
+ iptables -A INPUT -p udp --dport $i -j DROPl
+ iptables -A OUTPUT -p udp --dport $i -j DROPl
+ iptables -A FORWARD -p udp --dport $i -j DROPl
+done
+
+# Open inbound service ports
+for i in $INPORTS; do
+ iptables -A INPUT -p tcp --dport $i -j ACCEPT
+done
+
+iptables -A FORWARD -t filter -o $EXTIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+iptables -A FORWARD -t filter -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+
+# Opening up ftp connection tracking
+MODULES="ip_nat_ftp ip_conntrack_ftp"
+for i in $MODULES; do
+ modprobe $i
+done
+
+# Allow inside systems to use external services
+for i in $TCPSERV; do
+ iptables -A OUTPUT -o $EXTIF -p tcp -s $EXTIP --dport $i --syn -m state --state NEW -j ACCEPT
+ iptables -A FORWARD -i $INTIF -p tcp -s $INTNET --dport $i --syn -m state --state NEW -j ACCEPT
+done
+
+for i in $UDPSERV; do
+ iptables -A OUTPUT -o $EXTIF -p udp -s $EXTIP --dport $i -m state --state NEW -j ACCEPT
+ iptables -A FORWARD -i $INTIF -p udp -s $INTNET --dport $i -m state --state NEW -j ACCEPT
+done
+
+# Allow to ping out
+iptables -A OUTPUT -o $EXTIF -p icmp -s $EXTIP --icmp-type 8 -m state --state NEW -j ACCEPT
+iptables -A FORWARD -i $INTIF -p icmp -s $INTNET --icmp-type 8 -m state --state NEW -j ACCEPT
+
+# Allow firewall to ping internal systems
+iptables -A OUTPUT -o $INTIF -p icmp -s $INTNET --icmp-type 8 -m state --state NEW -j ACCEPT
+
+# Allow a few services internally
+iptables -A OUTPUT -o $INTIF -p tcp -s $INTNET --dport 80 -m state --state NEW -j ACCEPT
+iptables -A OUTPUT -o $INTIF -p tcp -s $INTNET --dport 443 -m state --state NEW -j ACCEPT
+iptables -A INPUT -i $INTIF -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
+
+# Setup dynamic NAT
+iptables -t nat -A PREROUTING -j ACCEPT
+iptables -t nat -A POSTROUTING -o $EXTIF -s $INTNET -j MASQUERADE
+iptables -t nat -A POSTROUTING -j ACCEPT
+iptables -t nat -A OUTPUT -j ACCEPT
+iptables -A INPUT -p tcp --dport auth --syn -m state --state NEW -j ACCEPT
+iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+# Block and log what me may have forgot
+iptables -A INPUT -j DROPl
+iptables -A OUTPUT -j REJECTl
+iptables -A FORWARD -j DROPl
\ No newline at end of file
-- cgit v1.2.3
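Review bot: The line `iptables -A FORWARD -t filter -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT` (right after the INPORTS loop) accepts every new connection that enters on the external interface, so the default-deny FORWARD policy, the per-service TCPSERV/UDPSERV FORWARD rules and the final `iptables -A FORWARD -j DROPl` never see inbound forwarded traffic; the `-d ! $EXTIP` guard earlier in the file is attached only to INPUT and does not cover this, despite the comment above it claiming the network cannot be used as a launching point. Since `iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT` near the end already admits replies in both directions, I would delete both `-t filter ... NEW,ESTABLISHED,RELATED` FORWARD lines, or at minimum change the `-i $EXTIF` one to `--state ESTABLISHED,RELATED`. Separately, `source /etc/firewall.conf` has no readability check and the script never sets `set -e`, so with a missing or unreadable config EXTIF/INTIF/LPDIF/LPDIP expand to nothing, many of the later iptables invocations fail with parse errors, and the host is left half-configured with only the DROP policies in place; `[[ -r /etc/firewall.conf ]] || { echo 'Cannot read /etc/firewall.conf' >&2; exit 1; }` before the policy changes would make that fail loudly. The `-d ! $EXTIP` / `--icmp-type ! 8` spelling appears to be the older inverted-match syntax, which newer iptables releases reject in favour of `! -d $EXTIP`; worth confirming against the target iptables version.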